@macmiranda @maxb Just digging up this topic once again because, after all, some stuff is still not clear to me.
At the moment, here’s how Vault is configured and used:
2 AppRoles are created, “admin-approle” and “ansible-approle”, and they are associated with the policies “admin-policy” and “ansible-policy” respectively.
The admin stuff is here to manage kv/approle without being root (so without using the root token); its policy is configured this way:
# Manage all kv within mount
path "kv/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
# Manage all AppRoles and Secrets IDs
path "auth/approle/role/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
Also, the approle has been created like this:
vault write auth/approle/role/admin \
  token_policies="admin-policy" \
  token_ttl=720h \
  token_max_ttl=720h
Then, the Ansible stuff is here to allow only one server to read and retrieve secrets, and it’s configured this way:
vault policy write ansible-policy -<<EOF
# Read-only permission on secrets stored at 'kv/data/blablabla'
path "kv/data/blablabla" {
  capabilities = ["read", "list"]
}
EOF
# AppRole to be used only by the ansible server
vault write auth/approle/role/ansible-approle \
  token_policies="ansible-policy" \
  token_ttl=720h \
  token_max_ttl=720h \
  secret_id_bound_cidrs="X.X.X.X/32" \
  token_bound_cidrs="X.X.X.X/32"
At the moment everything runs fine manually, meaning I use the admin token to perform these commands to retrieve a token for the ansible-approle and then use that token inside my Ansible playbook.
vault read auth/approle/role/ansible-approle/role-id
vault write -force auth/approle/role/ansible-approle/secret-id
vault write auth/approle/login role_id="XXXXXXX" secret_id="YYYYYYY"
Here are some questions where I need advice:
1st question: I set 720h, so 30 days, for the token duration on both policies, but sometimes it doesn’t last more than a few days and I get a permission denied when I want to use it. Is a token “implicitly” revoked once someone renews it, for instance?
2nd question: when I manually do the 3 commands above, there’s a VAULT_TOKEN env variable on my server. Is it OK to say that this token never expires, meaning I won’t have to manually perform these operations to retrieve the admin token every time?
3rd question: I’m trying to include the 3 commands above inside my playbook to automatically retrieve a token. At the moment I use this, which works pretty well except when the token is outdated, meaning the playbook has to be manually updated.
vault_var: "{{ lookup('community.hashi_vault.vault_kv2_get', 'my_secret', engine_mount_point='kv/', url='https://vault-xxxx:8200/', token='aaaaabbbbbbb') }}"
secret_value: "{{ vault_var.secret.my_secret }}"
Is it a good or bad approach to say: the VAULT_TOKEN env var has to be set with the admin token, and then I may add the 3 commands above within my playbook to automatically authenticate and retrieve a token using ansible-policy?
(In general, I’m not 100% confident about the token management I set up (token time to live and token max time to live) and also about how to securely deal with tokens/AppRoles in an Ansible context.)
(PS: I also tried to set up Vault Agent, but I prefer to become more confident in my token management first of all.)
Thanks a lot for your advice, dudes!
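An added example, not part of the post above, of what the 3rd question asks for: the playbook logs in with the ansible-approle itself (community.hashi_vault.vault_login) and uses the resulting short-lived token in the kv2 lookup, so no token is hard-coded in the play. The URL and secret name are the post's placeholders; the VAULT_ROLE_ID and VAULT_SECRET_ID environment variables are an assumption about how the credentials reach the Ansible server.

```yaml
# Added example: AppRole login from the playbook instead of a static token.
# Assumption (constructed names): role_id and a freshly issued secret_id are
# delivered to the Ansible server as VAULT_ROLE_ID / VAULT_SECRET_ID.
- name: Log in to Vault with the ansible-approle
  community.hashi_vault.vault_login:
    url: https://vault-xxxx:8200/
    auth_method: approle
    role_id: "{{ lookup('env', 'VAULT_ROLE_ID') }}"
    secret_id: "{{ lookup('env', 'VAULT_SECRET_ID') }}"
  register: approle_login
  # Run the login on the controller: the role's secret_id_bound_cidrs and
  # token_bound_cidrs only accept the Ansible server's address anyway.
  delegate_to: localhost
  no_log: true   # keep the client token out of the job output

- name: Read the secret with the token just issued (ansible-policy only)
  ansible.builtin.set_fact:
    vault_var: "{{ lookup('community.hashi_vault.vault_kv2_get', 'my_secret', engine_mount_point='kv', url='https://vault-xxxx:8200/', token=approle_login.login.auth.client_token) }}"
  no_log: true

- name: Extract the value (same shape as the original lookup result)
  ansible.builtin.set_fact:
    secret_value: "{{ vault_var.secret.my_secret }}"
  no_log: true
```

Each run obtains its own token under ansible-policy, so the admin token is only needed when a new secret_id has to be issued, not at every playbook run.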